The research is based on the hypothesis that human factors, such as biases and heuristics, have great influence on decision making in cyber security. Whereas rigorous decision practices are an important approach to overcome weak decisions (e.g., systematic statistical evaluation), the use of their results is influenced by human factors again, for instance, ignored because of convenience or underestimation of the risks.

We research to what extend a deliberate design of a choice architecture can improve security decision making. In particular, we apply this method to the area of bring your own device (BYOD) in SMEs, where the decisions of the users with respect to their devices impact the security of the overall system.